CVE-2022-43416
Description
Jenkins Katalon Plugin 1.0.32 and earlier allows agent-to-controller command execution, enabling attackers with agent control to run arbitrary OS commands on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
The Jenkins Katalon Plugin versions 1.0.32 and earlier implement an agent/controller message that does not restrict where it can be executed. This message invokes Katalon with attacker-controlled version, install location, and arguments. The root cause is an anonymous hudson.remoting.Callable whose checkRoles override is empty: it never calls RoleChecker.check, so the remoting layer is never told where the callable may run and accepts it on the controller. The fix commit replaces it with jenkins.security.MasterToSlaveCallable, which declares that the callable may only execute on an agent [4].
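The root cause above reduced to the two shapes of the callable, as an added example written for this page rather than code taken from the plugin or from Jenkins itself. It compiles against jenkins-core and the remoting library on the classpath. The class names UncheckedKatalonCallable, CheckedKatalonCallable, LocalRoleChecker and KatalonRoleCheckDemo, the constructed command line, and LocalRoleChecker's simplified imitation of the check that the receiving end of a remoting channel performs are all assumptions made here for illustration.

```java
import hudson.remoting.Callable;
import jenkins.security.MasterToSlaveCallable;
import org.jenkinsci.remoting.Role;
import org.jenkinsci.remoting.RoleChecker;
import org.jenkinsci.remoting.RoleSensitive;
import org.jenkinsci.remoting.Roles;

import java.util.Collection;

/**
 * Stand-in for the receiving end of a remoting channel. Before executing a
 * Callable, the receiver hands it a RoleChecker that knows the local side's
 * role and refuses callables that do not name that role as acceptable.
 * This is an illustration (assumption) of that behaviour, not the remoting
 * library's own implementation.
 */
final class LocalRoleChecker extends RoleChecker {
    private final Role local;

    LocalRoleChecker(Role local) {
        this.local = local;
    }

    @Override
    public void check(RoleSensitive subject, Collection<Role> expected) throws SecurityException {
        if (!expected.contains(local)) {
            throw new SecurityException(subject.getClass().getSimpleName()
                    + " is not allowed to run on the " + local.getName() + " side");
        }
    }
}

/** Shape of the vulnerable callable in Katalon Plugin 1.0.32 and earlier: an empty checkRoles. */
final class UncheckedKatalonCallable implements Callable<String, Exception> {
    private static final long serialVersionUID = 1L;
    private final String[] command;   // version, install location and arguments, all caller-supplied

    UncheckedKatalonCallable(String... command) {
        this.command = command.clone();
    }

    @Override
    public String call() {
        // The real plugin launches Katalon here; this example only assembles the command line.
        return String.join(" ", command);
    }

    @Override
    public void checkRoles(RoleChecker checker) throws SecurityException {
        // Never calls checker.check(...), so the receiving side has no grounds to refuse it:
        // an agent can send it to the controller and it executes there.
    }
}

/** Hardened shape matching the fix: MasterToSlaveCallable's checkRoles demands Roles.SLAVE. */
final class CheckedKatalonCallable extends MasterToSlaveCallable<String, Exception> {
    private static final long serialVersionUID = 1L;
    private final String[] command;

    CheckedKatalonCallable(String... command) {
        this.command = command.clone();
    }

    @Override
    public String call() {
        return String.join(" ", command);
    }
    // checkRoles is inherited from MasterToSlaveCallable: checker.check(this, Roles.SLAVE)
}

public final class KatalonRoleCheckDemo {
    /** Returns true if a receiver holding the given role would go on to execute the callable. */
    static boolean acceptedOn(Callable<?, ?> callable, Role receiver) {
        try {
            callable.checkRoles(new LocalRoleChecker(receiver));
            return true;
        } catch (SecurityException refused) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for attacker-controlled version, location and arguments.
        String[] attackerSupplied = {"/tmp/planted-katalon", "-runMode=console", "-projectPath=/tmp/x.prj"};

        Callable<String, Exception> unchecked = new UncheckedKatalonCallable(attackerSupplied);
        Callable<String, Exception> checked = new CheckedKatalonCallable(attackerSupplied);

        System.out.println("unchecked callable, received by controller: " + acceptedOn(unchecked, Roles.MASTER));
        System.out.println("checked callable,   received by controller: " + acceptedOn(checked, Roles.MASTER));
        System.out.println("checked callable,   received by agent:      " + acceptedOn(checked, Roles.SLAVE));
        System.out.println("command line that would be run: " + checked.call());
    }
}
```

Run the main method with jenkins-core and remoting on the classpath. The first line is the bug in miniature: a receiver holding Roles.MASTER, which is what the controller is, accepts the unchecked callable because nothing in its checkRoles gives the receiver a reason to refuse. The hardened callable is refused by that receiver and accepted only by one holding Roles.SLAVE, which is exactly what the switch to MasterToSlaveCallable in the fix commit buys; call() itself is unchanged, so the attacker-chosen arguments can still be run, but only on the agent the attacker already controls.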
Exploitation
An attacker who controls an agent process (for example through Agent/Configure permission, or by compromising the agent host) can send this message to the Jenkins controller, where it runs Katalon from an attacker-chosen install location with attacker-chosen arguments. If the attacker can also place a file on the controller (for example, Item/Configure permission allows archiving build artifacts there), they can point the install location at that file and so execute arbitrary OS commands on the controller [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands on the Jenkins controller, leading to full compromise of the Jenkins instance and potential lateral movement within the network [2].
Mitigation
The vulnerability is fixed in Katalon Plugin versions 1.0.33 and 1.0.34 [1][2]; the advisory data lists 1.0.33 as the first patched version. Upgrade to 1.0.33 or later. No workaround is available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:katalonMaven | < 1.0.33 | 1.0.33 |
Affected products
- Range: unspecified
Patches
0ee4b34afdcb Merge pull request #27 from Minh-Chien/master
1 file changed · +2 −6
src/main/java/com/katalon/jenkins/plugin/helper/ExecuteKatalonStudioHelper.java+2 −6 modified@@ -7,8 +7,7 @@ import hudson.FilePath; import hudson.Launcher; import hudson.model.TaskListener; -import hudson.remoting.Callable; -import org.jenkinsci.remoting.RoleChecker; +import jenkins.security.MasterToSlaveCallable; import java.util.HashMap; import java.util.Map; @@ -27,7 +26,7 @@ public static boolean executeKatalon( String xvfbConfiguration) { Logger logger = new JenkinsLogger(taskListener); try { - return launcher.getChannel().call(new Callable<Boolean, Exception>() { + return launcher.getChannel().call(new MasterToSlaveCallable<Boolean, Exception>() { @Override public Boolean call() throws Exception { @@ -54,9 +53,6 @@ public Boolean call() throws Exception { } return true; } - @Override - public void checkRoles(RoleChecker roleChecker) throws SecurityException { - } }); } catch (Exception e) { String stackTrace = Throwables.getStackTraceAsString(e);
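Review bot: the `launcher.getChannel().call(new MasterToSlaveCallable<Boolean, Exception>() {` hunk comes with no regression test. A unit test that invokes the anonymous callable's `checkRoles` with a RoleChecker standing in for the controller side and asserts a SecurityException would pin the behaviour this change depends on, and a one-line comment at the call site saying the callable is intentionally agent-only would stop a later refactor from reverting it to a plain Callable. Note that `call()` is untouched, so the caller-supplied arguments are still executed, now confined to the agent.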
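Review bot: removing the empty `checkRoles(RoleChecker roleChecker)` override in the last hunk is the actual fix, not a cleanup, and neither the diff nor the commit message ("Merge pull request #27 from Minh-Chien/master") says so. An empty body never calls `roleChecker.check(...)`, so the remoting layer has no basis to refuse executing the callable on the controller; MasterToSlaveCallable supplies a `checkRoles` that requests the agent role instead. Please state that in the commit message or PR description so anyone auditing the history can see why the override had to go rather than be kept alongside the new base class.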
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-q6f6-6c4p-xph4 (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-43416 (NVD)
- [3] www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- [4] github.com/jenkinsci/katalon-plugin/commit/0ee4b34afdcba367b547aa0a706cb1c66ac9f45a (fix commit)
- [5] www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory)